From ba8924113ca459d02ee67656a713f7ff494b968e Mon Sep 17 00:00:00 2001 From: Shaobo Song Date: Fri, 24 Jun 2022 23:02:17 +0800 Subject: [PATCH 1/2] tcg: Fix returned type in alloc_code_gen_buffer_splitwx_memfd() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes a bug in POSIX-compliant environments. Since we had allocated a buffer named 'tcg-jit' with read-write access protections we need a int type to combine these access flags and return it, whereas we had inexplicably return a bool type. It may cause an unnecessary protection change in tcg_region_init(). Cc: qemu-stable@nongnu.org Fixes: 7be9ebcf924c ("tcg: Return the map protection from alloc_code_gen_buffer") Signed-off-by: Shaobo Song Reviewed-by: Alex Bennée Message-Id: <20220624150216.3627-1-shnusongshaobo@gmail.com> Signed-off-by: Richard Henderson --- tcg/region.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tcg/region.c b/tcg/region.c index 71ea81d671..88d6bb273f 100644 --- a/tcg/region.c +++ b/tcg/region.c @@ -548,7 +548,7 @@ static int alloc_code_gen_buffer_anon(size_t size, int prot, #ifdef CONFIG_POSIX #include "qemu/memfd.h" -static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp) +static int alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp) { void *buf_rw = NULL, *buf_rx = MAP_FAILED; int fd = -1; From b0f650f0477ae775e0915e3d60ab5110ad5e9157 Mon Sep 17 00:00:00 2001 From: Ilya Leoshkevich Date: Mon, 11 Jul 2022 20:56:38 +0200 Subject: [PATCH 2/2] accel/tcg: Fix unaligned stores to s390x low-address-protected lowcore If low-address-protection is active, unaligned stores to non-protected parts of lowcore lead to protection exceptions. The reason is that in such cases tlb_fill() call in store_helper_unaligned() covers [0, addr + size) range, which contains the protected portion of lowcore. This range is too large. The most straightforward fix would be to make sure we stay within the original [addr, addr + size) range. However, if an unaligned access affects a single page, we don't need to call tlb_fill() in store_helper_unaligned() at all, since it would be identical to the previous tlb_fill() call in store_helper(), and therefore a no-op. If an unaligned access covers multiple pages, this situation does not occur. Therefore simply skip TLB handling in store_helper_unaligned() if we are dealing with a single page. Fixes: 2bcf018340cb ("s390x/tcg: low-address protection support") Signed-off-by: Ilya Leoshkevich Message-Id: <20220711185640.3558813-2-iii@linux.ibm.com> Reviewed-by: Richard Henderson Signed-off-by: Richard Henderson --- accel/tcg/cputlb.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c index f90f4312ea..a46f3a654d 100644 --- a/accel/tcg/cputlb.c +++ b/accel/tcg/cputlb.c @@ -2248,7 +2248,7 @@ store_helper_unaligned(CPUArchState *env, target_ulong addr, uint64_t val, const size_t tlb_off = offsetof(CPUTLBEntry, addr_write); uintptr_t index, index2; CPUTLBEntry *entry, *entry2; - target_ulong page2, tlb_addr, tlb_addr2; + target_ulong page1, page2, tlb_addr, tlb_addr2; MemOpIdx oi; size_t size2; int i; @@ -2256,15 +2256,17 @@ store_helper_unaligned(CPUArchState *env, target_ulong addr, uint64_t val, /* * Ensure the second page is in the TLB. Note that the first page * is already guaranteed to be filled, and that the second page - * cannot evict the first. + * cannot evict the first. An exception to this rule is PAGE_WRITE_INV + * handling: the first page could have evicted itself. */ + page1 = addr & TARGET_PAGE_MASK; page2 = (addr + size) & TARGET_PAGE_MASK; size2 = (addr + size) & ~TARGET_PAGE_MASK; index2 = tlb_index(env, mmu_idx, page2); entry2 = tlb_entry(env, mmu_idx, page2); tlb_addr2 = tlb_addr_write(entry2); - if (!tlb_hit_page(tlb_addr2, page2)) { + if (page1 != page2 && !tlb_hit_page(tlb_addr2, page2)) { if (!victim_tlb_hit(env, mmu_idx, index2, tlb_off, page2)) { tlb_fill(env_cpu(env), page2, size2, MMU_DATA_STORE, mmu_idx, retaddr);